Multiple technologies exist to verify and validate the identity of a requestor. Identity can be verified by using the combination of a username and a secret password, or by using more advanced technologies such as token cards, smart cards, or Public Key Infrastructure (PKI) certificates. One shortcoming of all of the foregoing methods is that they require the identity of the requestor to be known by the entity before the request is made. Newer technologies that are still in development, such as the "Attribute Certificate", may overcome some of the limitations of their predecessors, but they still do not allow the full context of the request, such as the location or the requesting method or device, to be taken into account. To date, no technology supports the notion of a proxy, in which one entity is able to delegate part of its rights to a second entity so that the second entity can conduct actions on behalf of the first.
Those limitations become a major hurdle in a number of circumstances:
An Internet user cannot securely delegate part of its authority to a financial portal that aggregates financial information from multiple banks, financial institutions, or other financial information sources. Today, people have to share their identity information with companies acting as aggregators. Because a bank has no way to distinguish a customer's access from an aggregator's access, identity protection relies on the good behavior and internal security of the aggregator.
Corporations let their partners' employees access information in their extranets, but they lack a mechanism that immediately terminates this access when those employees' situation changes, such as leaving the partner company or moving to a role that does not warrant access to the information.
Telecommunication providers, especially those in the wireless sector, have great difficulty offering differentiated services to corporations, for a reason very similar to the corporate extranet management problem described above. The problem is even more complex because many external companies provide the various pieces of information involved. Differentiated services include, but are not limited to, preferred services, contract management, and delegated management.
To further refine the needs of wireless data service providers, data service roaming is required. Data service roaming functions much like the voice roaming available today, but goes beyond it, because it must handle a minimum of four parameter sets to grant or deny access to the service: subscriber, home operator, visited operator, and service/content provider.
Lastly, corporations have recognized the need for enhanced security policies. For example, some corporations might want to prohibit access to critical data from untrusted computers, which could be located in places such as airport business lounges. Authorization is, therefore, not only a function of identity, but also a function of the context of the access. The definition of context covers, without limitation: geographical location, time, device type, and device trust.
Accordingly, a need exists for an integration of technologies into a framework that would solve all of the preceding problems.